An increasingly important trend in healthcare is consumer/patient involvement at all levels of healthcare. People are taking a more active role in their own health management. This trend of patient empowerment has already been widely supported. A number of solutions (see for example Capmed, http://www.phrforme.com/index.asp, Medkey, http://www.medkey.com/, and Webmd, http://www.webmd.com) have been introduced into the market that allow patients to collect their own health-related information and to store it on portable devices, computers, and in online services. These solutions are often referred to as Personal Health Record (PHR) services. A number of products in the market already allow patients to automatically enter measurements and other medical data into their PHRs, see for example Lifesensor, https://www.lifesensor.com/en/us/, and healthvault, http://search.healthvault.com/. For example, a weight scale sends its readings via Bluetooth to a computer, from which the data is uploaded to a PHR. This allows patients to collect and manage their health data, but even more importantly to share the data with the various healthcare professionals involved in their treatment.
Another important trend in healthcare is that the delivery of healthcare has gradually extended from acute institutional care to outpatient care and home care. Advances in information and communication technologies have enabled remote healthcare services (telehealth) including telemedicine and remote patient monitoring. A number of services in the market already deploy telehealth infrastructures where the measurement devices are connected via home hubs to remote backend servers. Health care providers use this architecture to remotely access the measurement data and help the patients. Examples are disease management services (such as Philips Motiva and PTS) or emergency response services (Philips Lifeline).
Interoperability of measurement devices, home hubs and backend services is becoming very important for enabling and further growing this market. This need is recognized, for example, by the Continua Health Alliance, see http://www.continuaalliance.org. As shown in FIG. 1, this initiative aims to standardize protocols between measurement devices, home hub (application hosting) devices, online healthcare/wellness services (WAN) and health record devices (PHRs/EHRs). In addition to data format and exchange issues, the Continua alliance is also addressing security and safety issues.
One of the basic security and safety problems in the domain of telehealth is the problem of user and device authentication/identification. Namely, when data remotely measured by patients is used by telehealth services or in the medical professional world, the healthcare providers need to place greater trust in information that patients report. In particular, they have to be assured that a measurement is coming from the right patient and that the appropriate device was used to take the measurement. Consider a blood pressure measurement: it is crucial to know that the blood pressure of the registered user was measured (not that of his friends/children), and that the measurement was taken by a certified device and not a cheap fake device. This is very important, because otherwise critical healthcare decisions may be based on wrong data.
In current practice, a device identifier (device ID) is either used as a user identifier (user ID) or as a means to derive a user ID (if multiple users are using the same device). For example, in the Continua system, as described in “Continua Health Alliance, Recommendations for Proper User Identification in Continua Version 1—PAN and xHR interfaces (Draft v.01)”, December 2007, at the PAN interface, as shown in FIG. 1, each Continua device is required to send its own unique device ID. The user ID is optional (and can be as simple as 1, 2, A, B). The valid user ID is obtained at the hub device (application hosting device), which can provide a mapping from a simple user ID associated with a device ID to a valid user ID. There might also be measurement devices that can send a valid user ID next to the device ID; then the mapping is not needed.
There are several problems with the current approach. For example, the current approach does not support authentication of users/devices; it only appends the user ID to the measurement. Data provenance is not established, as a healthcare provider later in the process cannot securely find out which device was used to create the measurement. Next to that, the current mapping approach does not quickly lock the user and device ID together, but introduces room for mistakes. Either a user makes an unintended mistake (if manual mapping is required: the user has to select his ID (1 or A) at the application hosting device or measurement device for each measurement) or the system can mix up the users (the application designer should take special care to provide data management in a way that reduces the potential for associating measurements with the wrong user). In this type of arrangement, it is possible for a malicious user to introduce wrong measurements by impersonating the real user. Similarly, the device ID can be copied to forged devices, which can easily be introduced into the ecosystem. A user can then use these devices to produce data that will look reliable but in fact will be unreliable.
It is therefore an object of the invention to improve upon the known art.
According to a first aspect of the present invention, there is provided a method of authenticating a device and a user comprising receiving a user input, generating a first key from the user input, performing a physical measurement of the device, obtaining helper data for the device, computing a second key from the physical measurement and the helper data, and performing an operation using the first and second keys.
According to a second aspect of the present invention, there is provided a system for authenticating a device and a user comprising a user interface arranged to receive a user input, a query component arranged to perform a physical measurement of the device, and a processing component connected to the user interface and the query component, and arranged to generate a first key from the user input, to obtain helper data for the device, to compute a second key from the physical measurement and the helper data, and to perform an operation using the first and second keys.
According to a third aspect of the present invention, there is provided a method of registering a device and a user comprising receiving a user input, generating a first key from the user input, performing a physical measurement of the device, generating a second key and helper data for the device from the physical measurement, performing an operation using the first and second keys, and transmitting an output of the operation to a remote data store.
According to a fourth aspect of the present invention, there is provided a system for registering a device and a user comprising a user interface arranged to receive a user input, a query component arranged to perform a physical measurement of the device, and a processing component arranged to generate a first key from the user input, to generate a second key and helper data for the device from the physical measurement, to perform an operation using the first and second keys, and to transmit an output of the operation to a remote data store.
Owing to the invention, it is possible to bind the identity of a user and a device so as to certify that data originating from the device originates from the particular device and the particular user. This supports data quality assurance and reliability in personal healthcare applications. The system delivers a method to bind the identity of a user and a device identifier as early as possible, at the point of measurement. To ensure proper device and user authentication/identification it is possible to use a Physically Uncloneable Function (PUF, described in detail below) in combination with a user input.
As a result, the three problems of the prior art are addressed by providing, respectively, close coupling of the user ID and the identification of the device used to take the measurement (the use of an unregistered device/user is immediately detected), strong user authentication, and anti-counterfeiting and strong device authentication. This has the following benefits: patient safety (diagnosis and health decisions are based on reliable data), reduction of costs (reuse of patient-provided data in the consumer health and the professional healthcare domain) and convenience for the patient (they can take healthcare measurements at home).
In a preferred embodiment, the step of receiving a user input comprises performing a biometric measurement of the user and the step of generating a first key from the user input comprises obtaining helper data for the user and computing the first key from the biometric measurement and the user helper data. The use of a biometric measurement, such as a fingerprint, increases the security of the system and ensures that any data taken from an individual is authenticated as being from that specific individual when the data is analyzed by a remote health system.
Advantageously, the method comprises performing a defined function on the first and second keys to obtain a third key. The security of the system can be increased if the two keys, one from the device and one from the user, are combined together to create a third key prior to any transmittal to a remote location. The combination can be performed according to a function of both inputs. Such a function can be, for example: (i) the concatenation of both strings, (ii) the XORing of both strings, (iii) the concatenation of both strings and subsequent hashing of the resulting string, (iv) the XORing of both strings and then hashing the resulting string, (v) the encryption of one string according to an encryption algorithm (e.g. the Advanced Encryption Standard) using one of the strings as key and the second string as plaintext, etc.
In a further embodiment, the step of receiving a user input comprises receiving a password and the step of generating a first key from the user input comprises computing the first key from the password. Rather than using biometric data, a simple password can be used to authenticate the user. Although this does not have the highest level of security associated with using the biometric data, this still provides a system that is an improvement over current known systems.
Ideally, the step of obtaining helper data for the device comprises computing the helper data from the first key and a stored component. The key for the device (the second key) is created from the physical measurement performed on the device and the helper data. If the helper data is reconstructed from the first key (from the user) and some stored component, then the security of the system of authenticating the device and user is increased, because the helper data is never stored in the clear.
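The following Python model, added here and not part of the patent text, works through the registration method (third aspect) and the authentication method (first aspect) described above, using option (iii) of the combination functions (concatenate, then hash) and storing the device helper data only as a component masked by the first key. The PUF is a constructed 160-bit device fingerprint plus a caller-supplied noise mask, the helper data uses a 5-fold repetition code (the simplest fuzzy-extractor construction), and PBKDF2, SHAKE-256 and SHA-256 are assumed primitives, none of which the patent specifies.

```python
import hashlib, secrets
KEY_BITS, REP = 32, 5                             # 32 secret bits, each stored as REP PUF bits
PUF_LEN, MASK = KEY_BITS * REP, (1 << REP) - 1    # a PUF response is a 160-bit integer

def puf_response(fingerprint: int, flips: int) -> int:
    """Constructed PUF readout: fixed device fingerprint XOR a caller-supplied noise mask."""
    return fingerprint ^ flips

def first_key(password: str, salt: bytes) -> bytes:
    """First key from the user input (password embodiment); PBKDF2-SHA256 is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def key_from_secret(s: int) -> bytes:
    return hashlib.sha256(s.to_bytes(KEY_BITS // 8, "big")).digest()
def generate_device_key(resp: int):
    """Registration: draw secret s, repeat each bit REP times, helper = codeword XOR response."""
    s = secrets.randbits(KEY_BITS)
    code = sum(MASK << (j * REP) for j in range(KEY_BITS) if (s >> j) & 1)
    return key_from_secret(s), code ^ resp

def reproduce_device_key(resp: int, helper: int) -> bytes:
    """Authentication: majority vote per secret bit corrects up to REP // 2 flipped copies."""
    s = 0
    for j in range(KEY_BITS):
        chunk = ((helper ^ resp) >> (j * REP)) & MASK   # = codeword chunk XOR noise
        if bin(chunk).count("1") > REP // 2:
            s |= 1 << j
    return key_from_secret(s)

def mask_helper(k1: bytes, helper: int) -> int:
    """Stored component = helper XOR PRF(first key): helper never stored in the clear; self-inverse."""
    pad = hashlib.shake_256(b"helper-mask" + k1).digest(PUF_LEN // 8)
    return helper ^ int.from_bytes(pad, "big")
def combine(k1: bytes, k2: bytes) -> bytes:
    """Third key: concatenate both strings, then hash (one of the listed combination functions)."""
    return hashlib.sha256(k1 + k2).digest()

def register(password: str, fingerprint: int, flips: int = 0) -> dict:
    """Third aspect: the record sent to the remote data store holds no key or helper in the clear."""
    salt = secrets.token_bytes(16)
    k1 = first_key(password, salt)
    k2, helper = generate_device_key(puf_response(fingerprint, flips))
    return {"salt": salt, "stored": mask_helper(k1, helper), "k3": combine(k1, k2)}

def authenticate(password: str, fingerprint: int, record: dict, flips: int) -> bytes:
    """First aspect: recompute the third key; the remote store compares it with record['k3']."""
    k1 = first_key(password, record["salt"])
    helper = mask_helper(k1, record["stored"])
    return combine(k1, reproduce_device_key(puf_response(fingerprint, flips), helper))
```

With two of five PUF bits flipped per secret bit the third key is reproduced exactly; three flips in any group, a wrong password, or a different device fingerprint all yield a different key, which is how an unregistered device/user pairing is detected at the remote store.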
Advantageously, the method further comprises obtaining a user share, obtaining a device share, and performing a defined function on the user share, device share, first and second keys to obtain a third key. The use of a user share and device share allows more than one device to be authenticated to a specific user, which increases the efficiency of the registration and authentication system.